Sunday, February 9, 2014

Mass deploying and updating Suricata IDPS with Ansible

aka The Ansibility side of Suricata

Talking about multiple deployments of Suricata IDPS and how complicated it could be to do it all, from compiling and installing to configuring on multiple servers/locations... actually, it is not complicated at all with Ansible.

Ansible is a radically simple IT automation platform that makes
your applications and systems easier to deploy. Avoid writing scripts
or custom code to deploy and update your applications— automate in a
language that approaches plain English, using SSH, with no agents to
install on remote systems. http://ansible.com/

If you follow this article you should be able to update/upgrade multiple Suricata deployments with the push of a button. The Ansible playbook scripts set up in this article are available at github HERE, with detailed explanations inside suricata-deploy.yaml (which has nothing to do with Suricata's own suricata.yaml).

Custom modules can be added if needed, written in ANY language
(perl/C/python/JAVA...).

Secure transport and deployment of the whole execution process (SSL encrypted).

Fast, parallel execution (10/20/50... machines at a time).

Staggered deployment - continue with the deployment process only if
the first batch succeeds.

Works over slow and geographically dispersed connections - "fire and
forget" mode: Ansible will start execution and periodically log in
to check if the task is finished; no need for an always-on connection.

Fast, secure connection - for speed Ansible can be configured to use a
special SSL mode that is much faster than the regular ssh connection,
while periodically (configurable) regenerating and using new encryption
keys.

On-demand task execution - "push the button".

Roll-back on error - if the deployment fails for some reason, Ansible
can be configured to roll back the execution.

Auto retries - can be configured to automatically retry failed
tasks, a set number of times or until a condition is met.

Cloud - integration modules to manage cloud services exist.

All that until the tasks are done (or interrupted) or the default
(configurable) Ansible connection limit times out.

What you need: On the remotely managed servers

What you need to do on the devices that are going to be remotely managed (for example 10.10.10.192 in this tutorial) is:

to have the following packages installed:

sudo apt-get install python-crypto python-keyczar

and

1)
Add the public key for the user "SomeUser" (in this case) to the authorized_keys file on that remote machine. An example path would be /home/SomeUser/.ssh/authorized_keys. In other words, password-less (without a pass-phrase) ssh key authentication.

2)
Make sure "SomeUser" has password-less sudo as well.
Then on the "central" machine (the one you will be managing everything else from) you need to add this to your ssh_config:

Check

So let's see if everything is up and good to go (some commands you can try):

Above we use the built-in "ping" module of Ansible. Notice our remote machine that we will manage: 10.10.10.192, or HP-Test1.

You can try as well:

ansible -m setup HP-Test1

You will receive the full set of facts that Ansible gathers about the HP-Test1 machine.
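Before pushing the playbook to many hosts, it helps to verify the prerequisites from the "remotely managed servers" section on each one: the packages, the authorized_keys entry (with permissions sshd will accept) and the NOPASSWD sudo rule. The script below is an added example, not part of the original post or its github repository; it takes the file paths and the user name as arguments so it can be run on the managed host or against copies of the files (the key line and user "SomeUser" are the page's placeholders).

```bash
#!/usr/bin/env bash
# Pre-flight check for a host about to be managed by Ansible.
# Added example; paths, user and key are supplied by the caller.

# Return 0 if the public key line $2 is present in authorized_keys $1 and
# the file is not group/world writable (sshd's default StrictModes refuses
# such files, so "it is in there" is not enough on its own).
check_authorized_keys() {
  local akfile="$1" pubkey="$2" mode want
  [ -f "$akfile" ] || { echo "missing $akfile"; return 1; }
  mode=$(stat -c '%a' "$akfile")
  case "$mode" in
    600|644|400) ;;
    *) echo "$akfile has mode $mode, expected 600"; return 1 ;;
  esac
  # Compare key type and blob only; the trailing comment may differ.
  want=$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')
  awk '{print $1" "$2}' "$akfile" | grep -qxF -- "$want"
}

# Return 0 if sudoers file $1 grants user $2 NOPASSWD for ALL commands,
# i.e. a line like:  SomeUser ALL=(ALL) NOPASSWD: ALL
check_sudoers_nopasswd() {
  local sudoers="$1" user="$2"
  grep -Eq "^[[:space:]]*${user}[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+NOPASSWD:[[:space:]]*ALL" \
    "$sudoers"
}

# Return 0 if the Debian packages the post asks for are installed
# (python-keyczar is what Ansible's accelerated mode needs).
check_packages() {
  local pkg
  for pkg in python-crypto python-keyczar; do
    dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null \
      | grep -q 'install ok installed' \
      || { echo "package $pkg not installed"; return 1; }
  done
}

# Run all three checks on the local (managed) host for user $1 with
# public key line $2; exit status is non-zero if anything is missing.
preflight() {
  local user="$1" pubkey="$2" rc=0
  check_packages || rc=1
  check_authorized_keys "/home/$user/.ssh/authorized_keys" "$pubkey" || rc=1
  check_sudoers_nopasswd /etc/sudoers "$user" || rc=1
  return "$rc"
}
```

Run it on each managed host as `preflight SomeUser "$(cat /path/to/SomeUser.pub)"` (or push the script with `ansible -m script`) before the first playbook run; a non-zero exit tells you which step of the setup above was skipped.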

Run it

The setup in this article is available at github HERE, with detailed explanations inside suricata-deploy.yaml.
All you need to do is git clone it and run it, like so: